Learn AD in 15 Minutes a Week: Active Directory Schema Master

Welcome to the ninth installment of Learn Active Directory Design and Administration in 15 Minutes a Week, a weekly series aimed
at current IT professionals preparing to write the new Windows Active Directory Design and Administration exams (70-219 and 70-217 respectively), as well as newcomers to the field who are trying to get a solid grasp on this new and emerging directory service from Microsoft. This
installment is going to begin the more detailed discussion
of the Windows 2000 Active Directory Single Masters of
Operation. This particular article is going to be a more
detailed breakdown of the Schema Master Flexible Single
Masters of Operation Domain Controller.

Jason Zandri's latest article in the Learn Active Directory Design and Administration in 15 Minutes a Week presents a detailed breakdown of the Schema Master Flexible Single Masters of Operation Domain Controller.

[NOTES FROM THE FIELD] - Some of the sections
below are a recap from my
Active Directory Single Masters of Operation article. It
does seem like overkill to a degree to include three
paragraphs from that column here, but rather than have the
reader go back and forth for reference, I have included the
most important sections here.

Overview

In the Windows 2000 Active Directory,
there are certain specific domain controllers that are
assigned the extra role of Operations master. Sometimes
referred to as Flexible Single Masters of Operation (FSMO)
servers, these roles are special roles assigned to one or
more domain controllers in an Active Directory domain and
forest. The domain controllers assigned these roles perform
single-master replication of the data they are in charge of
(or, if more than one role is placed on them, single-master
replication for each of those roles, each independently of
the others). Some of these servers hold forest-wide
operations master roles and others hold domain-wide
operations master roles.

The Windows 2000 Active Directory
design supports multimaster replication of the Active
Directory domain database partition between all domain
controllers in the domain. This basically means that you can
make changes to the domain database partition at any given
domain controller, such as functions at a user level like
changing your domain password all the way up to a Domain
Administrator adding new users to the domain at a remote
site by hitting the local domain controller at that site.

[NOTES FROM THE FIELD] - Back in the NT4 days
this was not the case. All changes from user passwords to
new user creation happened only on the Primary Domain
Controller. This meant that if your headquarters (and PDC)
was in England and you were at the New York offices and
changed your password, that change had to "travel" back to
the PDC in London to take effect. The same would be true if
you were a Domain Administrator temporarily working out of
the Los Angeles office. You would have to "connect" to the
PDC in London to perform the administration.

When you simply logged on to the domain in New York,
LA, or wherever, you could authenticate against the Backup
Domain Controller, which held a read-only Accounts database.
The read-only database allowed the remote people to log on
using it rather than requiring them to hit the PDC.

Other types of changes are impractical
to perform in multimaster fashion, such as those to the
Schema and Configuration Partitions. Because these partitions
and certain other types of changes are too sensitive to be
handled in a multimaster fashion, specific domain controllers
are assigned to handle these operations. Since these specific
domain controllers handle these particular functions
(sometimes referred to as single-master operations), they are
the only places within the domain or forest where the copies
of these databases are read/write. Everywhere else a copy
of these databases resides, it is a read-only copy.

[NOTES FROM THE FIELD] - The
read-only database copies of the Schema and Configuration
partition operate just like the old domain (SAM) data did
under NT4.

Any changes to the SAM database in
NT4 had to go to the PDC. Any changes that need to be made
to the Schema, for example, go to the Schema Master.
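Because schema changes are forest-wide and effectively permanent, an administrator should know exactly which domain controller currently holds the Schema Master role (and the other four roles) and notice when that changes. The script below is an added example, not code from this article or from Jason Zandri; it reads the fSMORoleOwner attribute from the object that anchors each single-master operation, which is where Active Directory records the role holder. It assumes a domain-joined Windows machine with PowerShell 3.0 or later (for the [ordered] hashtable) and an ordinary domain user account, since these attributes are readable by any authenticated user; the naming context names (corp.example) in the comments are placeholders.

```powershell
# Added example (not from the article): list the FSMO role holders of the
# forest this machine is joined to, Schema Master first.
# Assumes: domain-joined machine, PowerShell 3.0+, any authenticated domain user.

# RootDSE is the unnamed top of the directory; it exposes the naming contexts.
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = [string]$rootDse.schemaNamingContext         # e.g. CN=Schema,CN=Configuration,DC=corp,DC=example
$configNc = [string]$rootDse.configurationNamingContext  # e.g. CN=Configuration,DC=corp,DC=example
$domainNc = [string]$rootDse.defaultNamingContext        # e.g. DC=corp,DC=example

# Each single-master operation is anchored on one object whose fSMORoleOwner
# attribute holds the DN of the role holder's NTDS Settings object. The parent
# of that object is the server object, whose dNSHostName names the DC.
function Get-FsmoOwner {
    param([string]$ObjectDn)
    $anchor   = [ADSI]("LDAP://" + $ObjectDn)
    $ntdsDn   = [string]$anchor.fSMORoleOwner
    $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
    $server   = [ADSI]("LDAP://" + $serverDn)
    [string]$server.dNSHostName
}

# Forest-wide roles live under the schema and configuration partitions;
# domain-wide roles live under the domain partition.
$roles = [ordered]@{
    'Schema Master'         = $schemaNc
    'Domain Naming Master'  = "CN=Partitions,$configNc"
    'PDC Emulator'          = $domainNc
    'RID Master'            = "CN=RID Manager`$,CN=System,$domainNc"
    'Infrastructure Master' = "CN=Infrastructure,$domainNc"
}

foreach ($role in $roles.Keys) {
    '{0,-22} {1}' -f $role, (Get-FsmoOwner $roles[$role])
}
```

Run it from any domain member and compare the Schema Master line with what `netdom query fsmo` reports; the two are reading the same attribute. Keeping the output in a change record lets you spot a seized or transferred role, which is the kind of forest-wide change that should never happen without a planned reason.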